10. What is Risk Management?
Risk management involves having:
– Access to reliable, up-to-date information about risks
– Decision-making processes supported by a framework of risk analysis and evaluation
– Processes in place to monitor risk
– The right balance of control in place to deal with those risks (risk tolerance)
18. Risk Principles
– The Project Board (Supervisors) supports and promotes risk management, and understands and accepts the time and resource implications.
– Risk management policies and the benefits of effective risk management are clearly communicated to all staff
– A consistent approach to risk management is fully embedded in the project management processes
– Management of risk is an essential contribution to the achievement of business objectives
– Risks arising through working with programmes and other projects are assessed and managed
– There is a clear structure to the risk process so that each element of risk identification fits into an overall structure
– Where the project is part of a programme, a change in the state of any project risk that is also identified as a programme risk must be flagged to programme management or the designated risk management function in the programme.
26. Risk Management Cycle
Risk analysis:
– Identify the risks
– Evaluate the risks
– Identify suitable responses to risk
– Select
Risk management:
– Plan and resource
– Monitor and report
45. Identify suitable responses to risk (EXAMPLE)
Prevention: Terminate the risk, by doing things differently and thus removing the risk, where it is feasible to do so. Countermeasures are put in place that either stop the threat or problem from occurring or prevent it having any impact.
Reduction: Treat the risk, by taking action to control it in some way, where the actions either reduce the likelihood of the risk developing or limit the impact.
Transference: A specialist form of risk reduction where the management of the risk is passed to a third party via, for instance, an insurance policy or penalty clause, such that the impact of the risk is no longer an issue for the health of the project. Not all risks can be transferred in this way.
Acceptance: Tolerate the risk, perhaps because nothing can be done at a reasonable cost to mitigate it, or the likelihood and impact of the risk occurring are at an acceptable level.
Contingency: Actions planned and organised to come into force as and when the risk occurs.
50. Balance the risk
Select: the cost of actions is balanced against the probability and impact of the risk occurring.
52. Risk action selection
Select: each possible action (possible action 1, possible action 2, possible action 3) is assessed on cost/time against the risk tolerance. Selection then takes into account the impact on other parts of the project, the impact on plans, the impact on the Business Case, and the impact on the business or programme.
62. Risk Management Cycle
Plan and resource
Planning, which for countermeasure actions consists of:
– Identifying the quantity and type of resources required to carry out the actions
– Developing a detailed plan of action
– Confirming the desirability of carrying out the actions
– Obtaining management approval
Resourcing, which covers the resources to be used to conduct the work involved in carrying out the actions:
– These assignments will be shown in Project and Stage Plans
– Resources requiring funding from the project budget
– Contingency actions will normally be funded from a contingency budget
68. Risk Management Cycle
Monitor and report
Monitoring may consist of:
– Checking that execution of the planned actions is having the desired effect
– Watching for the early warning signs that a risk is developing
– Modelling trends, predicting potential risks or opportunities
– Checking that the overall management of risk is being applied effectively.
74. Risk Responsibilities
The Project Manager is responsible for ensuring that risks are identified, recorded and regularly reviewed. The Project Board has four responsibilities:
• Notifying the Project Manager of any external risk exposure to the project
• Making decisions on the Project Manager’s recommended reactions to risk
• Striking a balance between the level of risk and the potential benefits that the project may achieve
• Notifying corporate or programme management of any risks that affect the project’s ability to meet corporate or programme objectives.
81. Risk Ownership
Allocating ownership of the risk process as a whole and of its various components is fundamental from the outset. When describing who owns the various elements of risk, it is important to identify who owns the following:
• The risk framework in totality
• Setting risk policy and the project team’s willingness to take risk
• Different elements of the risk process, from identifying threats through to producing risk responses and reporting
• Implementation of the actual measures taken in response to the risks
• Interdependent risks that cross organisational boundaries, whether they relate to business processes, IT systems or other projects.
83. Risk Analysis
Asset: What are you trying to protect?
Threat: What are you afraid of happening?
Vulnerability: How could the threat occur?
Mitigation: What is currently reducing the risk?
Impact/Severity (What is the impact to the business?):
1. Negligible
2. Minor
3. Moderate
4. Major
5. Critical
6. Catastrophic
Probability/Likelihood (How likely is the threat?):
1. Unforeseeable
2. Very unlikely
3. Possible
4. Likely
5. Very Likely
6. Almost certain
Recorded in: Risk Log
84. Risk Log (EXAMPLE)
Tolerability level: 12
Priority  Hazard                            Impact (I) (1-6)  Probability (P) (1-6)  Risk rating (I x P)
1         Data loss due to virus            5                 4                      20
2         Denial of service attack          5                 3                      15
3         Theft of proprietary information  4                 3                      12
4         Insider net abuse                 4                 3                      12
5         Abuse of wireless networks        3                 4                      12
6         Financial fraud                   5                 2                      10
7         Laptop theft                      3                 3                      9
8         Unauthorised access               3                 3                      9
9         Telecom fraud                     2                 3                      6
10        Website hacking/defacement        3                 2                      6
11        System penetration                3                 2                      6
12        Sabotage                          4                 1                      4
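Added example (not part of the original slides): a small Python scorer that reproduces the Risk Log above, rating each hazard as Impact x Probability on the slide's 1-6 scales, ranking them into priorities, flagging entries against the tolerability level of 12, and placing each on a Low/Medium/High risk profile grid. The 1-6 to Low/Medium/High banding and the rule that a rating at or above the tolerability level is outside tolerance are assumptions, not stated on the slides.

```python
from dataclasses import dataclass

# Tolerability level taken from the slide's example Risk Log.
TOLERABILITY_LEVEL = 12

# Constructed from the slide's example Risk Log: (hazard, impact, probability).
RISK_LOG = [
    ("Data loss due to virus", 5, 4),
    ("Denial of service attack", 5, 3),
    ("Theft of proprietary information", 4, 3),
    ("Insider net abuse", 4, 3),
    ("Abuse of wireless networks", 3, 4),
    ("Financial fraud", 5, 2),
    ("Laptop theft", 3, 3),
    ("Unauthorised access", 3, 3),
    ("Telecom fraud", 2, 3),
    ("Website hacking/defacement", 3, 2),
    ("System penetration", 3, 2),
    ("Sabotage", 4, 1),
]


@dataclass(frozen=True)
class RatedRisk:
    priority: int
    hazard: str
    impact: int
    probability: int
    rating: int          # impact x probability, as on the slide
    within_tolerance: bool


def _check_scale(value: int, name: str) -> int:
    # Both slide scales run from 1 (Negligible / Unforeseeable) to 6 (Catastrophic / Almost certain).
    if not 1 <= value <= 6:
        raise ValueError(f"{name} must be on the 1-6 scale, got {value}")
    return value


def rate_risks(log, tolerability=TOLERABILITY_LEVEL):
    """Rate each entry as I x P, rank by rating and assign priorities.

    Assumption: a rating at or above the tolerability level is outside tolerance.
    Ties keep their order in the log (Python's sort is stable), which reproduces
    the slide's priority numbering exactly.
    """
    rated = []
    for hazard, impact, probability in log:
        rating = _check_scale(impact, "impact") * _check_scale(probability, "probability")
        rated.append((hazard, impact, probability, rating))
    rated.sort(key=lambda r: -r[3])
    return [RatedRisk(i + 1, h, imp, p, r, r < tolerability)
            for i, (h, imp, p, r) in enumerate(rated)]


def band(value: int) -> str:
    # Assumed banding of the 1-6 scales onto the Low/Medium/High axes of the Risk Profile.
    return "Low" if value <= 2 else "Medium" if value <= 4 else "High"


def risk_profile(rated):
    """Group priority numbers onto the Risk Profile grid keyed by (probability band, impact band)."""
    grid = {}
    for r in rated:
        grid.setdefault((band(r.probability), band(r.impact)), []).append(r.priority)
    return grid


if __name__ == "__main__":
    for r in rate_risks(RISK_LOG):
        flag = "" if r.within_tolerance else "  <- at/above tolerability"
        print(f"{r.priority:>2} {r.hazard:<34} I={r.impact} P={r.probability} rating={r.rating:>2}{flag}")
```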
86. Risk Profile (EXAMPLE)
Use of an easy-to-read diagram may assist the visibility of risks and assist management decisions; these would normally be found in the Risk Logs.
87. Risk Profile (EXAMPLE)
Probability/Likelihood (rows) plotted against Impact (columns), with a risk tolerance line drawn across the grid; cell entries are risk numbers.
Probability         Impact: Low   Impact: Medium   Impact: High
High                1, 2          -                5
Medium              -             4                3
Low                 6, 9          -                7, 8
88. Analysing Risk (EXAMPLE)
Factor: Failure to recruit staff
Likelihood: Medium. Impact: High.
Mitigation strategy: Minimise number of staff to be recruited. Ensure recruitment cycle begins as rapidly after project approval as possible. Ensure remuneration adequate to level of responsibility and expertise. Use specialist recruitment agency if necessary. Other staff seconded from other duties and additionally trained as triage solution.

Factor: Underestimate difficulty of specific technical development
Likelihood: Low. Impact: Medium.
Mitigation strategy: Close integration with OSS community effort to mobilise additional resource to bear on problem space.

Factor: Difficulty integrating with data sources for identity
Likelihood: Medium. Impact: High.
Mitigation strategy: Deploy Identity Management software based on open standards. Direct engagement with systems specialists.

Factor: Difficulty integrating the numerous electronic systems within the Engineering framework
Likelihood: Medium. Impact: High.
Mitigation strategy: Work with the various Engineering institutions to develop a concept concerning the creation and adoption of Standards (i.e. LEAP2A).

Factor: Project fails sufficiently to engage engineering communities
Likelihood: Low. Impact: High.
Mitigation strategy: Staff within the University of Hull, particularly the Knowledge Exchange, will ensure that the ‘learner voice’ is represented throughout the project, inclusive of the broad diversity (including geographic) of learners represented within the partnership.
89. Budgeting for risk management
• A project needs to allocate and have embedded in the project environment:
– Budget
– Time
– Resources (staff/skills/tools/techniques)
to ensure Risk Management is carried out successfully
• Experience shows that allocating the correct ‘budget’ to the risk management process early on will pay dividends later
90. Further considerations
– Project interdependencies
– The relationship between benefit and delivery risks
– Internal versus external risks